
A new proof-of-concept (PoC) study has revealed a potential method to trick users of FIDO passkey authentication through Microsoft Entra ID into downgrading to a less secure sign-in method. The research, conducted by cybersecurity firm Proofpoint, highlights the risks that arise when users are presented with multiple authentication options, even when one of those options is considered highly secure.
FIDO-based authentication, which relies on passkeys tied to a physical device, is widely regarded as “phish-proof.” The protocol is designed so that an attacker cannot steal a user’s credentials remotely, as the authentication process requires access to the specific device in the user’s possession. However, the Proofpoint study shows that while FIDO itself is not compromised, users could be manipulated into selecting weaker authentication options that remain susceptible to phishing attacks.
The PoC attack exploits a limitation in how certain browsers interact with Microsoft Entra ID's FIDO implementation. Specifically, some browsers do not fully support FIDO authentication with Entra ID. Proofpoint researchers leveraged this gap by spoofing the user agent of such a browser (Safari for Windows, which lacks full compatibility with Microsoft Entra ID) in a phishing template, known as a "phishlet," built for the open-source Evilginx2 man-in-the-middle (MiTM) framework. Evilginx2 is commonly used to bypass two-factor authentication (2FA) in phishing campaigns by intercepting credentials and session cookies.
New Phishing Method Bypasses FIDO by Targeting User Choices
In practice, an attacker using this method would send a target a malicious link. When the user clicks the link, they encounter a FIDO authentication failure page generated from the spoofed browser agent. The page then prompts the user to sign in using an alternative method, such as a password or standard 2FA. If the user complies, the MiTM attack becomes successful: the attacker can capture both the user’s credentials and session cookies, potentially gaining full access to the account. Notably, this attack only works if the target account has fallback sign-in options enabled; if a user relies exclusively on FIDO authentication, the method would not succeed.
Importantly, Proofpoint stressed that the attack does not exploit a flaw in the FIDO protocol itself. “The attack described here does not reflect a vulnerability in passkeys or FIDO protocols. Rather, it illustrates the importance of service providers moving entirely away from passwords and other phishable sign-in methods as soon as possible,” Andrew Shikiar, CEO of the FIDO Alliance, told SC Media.
The FIDO Alliance has long advocated for minimizing or eliminating alternative sign-in methods that remain vulnerable to phishing. For service providers that still allow multiple authentication options, the organization recommends measures such as enforcing FIDO-only authentication for certain users or specific account features. By reducing the availability of less secure options, organizations can ensure that even if an attacker attempts a phishing campaign, the likelihood of success is significantly diminished.
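The downgrade flow described above leaves two signals a defender can look for in sign-in telemetry: a user agent claiming Safari on Windows (the incompatible combination the phishlet spoofs), and a FIDO-enrolled user completing sign-in with a phishable fallback method. The triage logic below is an added example written for this article, not code from Proofpoint or Microsoft; the event field names and the method labels are assumptions, and the sign-in records are constructed.

```python
from typing import Dict, List

# Assumed labels for phishing-resistant methods; adjust to your identity provider's naming.
PHISHING_RESISTANT = {"FIDO2 security key", "Passkey"}

# Constructed sample sign-in events (not real Entra ID log data); field names are assumptions.
SIGN_INS: List[Dict] = [
    {"user": "alice", "fido_registered": True, "auth_method": "Password",
     "user_agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/534.57.2 (KHTML, like Gecko) Version/5.1.7 Safari/534.57.2"},
    {"user": "bob", "fido_registered": True, "auth_method": "FIDO2 security key",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Safari/537.36"},
    {"user": "carol", "fido_registered": False, "auth_method": "Password",
     "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15"},
    {"user": "dave", "fido_registered": True, "auth_method": "Password",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Safari/537.36 Edg/120.0"},
]


def is_safari_on_windows(user_agent: str) -> bool:
    """True for a user agent that claims Safari on Windows.

    Chromium-based browsers also carry the 'Safari/' token on Windows, so they
    are excluded by their own product tokens; what remains is the combination
    the phishlet spoofs to trigger a FIDO failure page.
    """
    ua = user_agent.lower()
    chromium = any(tok in ua for tok in ("chrome/", "chromium/", "edg/"))
    return "windows" in ua and "safari/" in ua and not chromium


def is_downgrade(event: Dict) -> bool:
    """True when a FIDO-enrolled user signed in with a phishable fallback method."""
    return bool(event["fido_registered"]) and event["auth_method"] not in PHISHING_RESISTANT


def triage(events: List[Dict]) -> List[Dict]:
    """Return one finding per suspicious event, listing the reasons it was flagged."""
    findings = []
    for e in events:
        reasons = []
        if is_safari_on_windows(e["user_agent"]):
            reasons.append("user agent claims Safari on Windows")
        if is_downgrade(e):
            reasons.append("FIDO-enrolled user signed in with a phishable method")
        if reasons:
            findings.append({"user": e["user"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SIGN_INS):
        print(f["user"], "->", "; ".join(f["reasons"]))
```

Both reasons together (alice) are the strongest signal for this specific technique; a downgrade alone (dave) still merits a look, since the fallback method is what the MiTM proxy needs to capture.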

Authentication hardware provider Yubico also commented on the findings, emphasizing the importance of adopting phishing-resistant authentication methods. “This proof-of-concept phishing attack underscores the risks associated with phishable authentication and highlights the importance of widespread passkey adoption,” a Yubico spokesperson told SC Media. They added that organizations should carefully evaluate all authentication flows, including account recovery processes, which are often targeted by attackers. Yubico recommends that identity providers and applications offer the ability to disable weaker multi-factor authentication (MFA) options to further safeguard accounts.
Proofpoint confirmed that, to date, they have not observed the PoC technique being used in real-world attacks. However, previous reports, such as those from cybersecurity firm Expel, have indicated attempts to bypass FIDO authentication through cross-device exploits. Expel later retracted their original claims, noting that such attacks require proximity to the key-holding device and are therefore unlikely to succeed at scale.
While no successful attacks leveraging this specific method have been reported in the wild, the study serves as a reminder that security is only as strong as its weakest link. Accounts that allow fallback authentication methods remain vulnerable, and attackers will continue to seek ways to exploit human behavior, such as prompting users to switch to less secure options.
Ultimately, the Proofpoint research reinforces the broader message advocated by both the FIDO Alliance and cybersecurity experts: passkeys and other phishing-resistant authentication methods should be prioritized wherever possible. Service providers and users alike are encouraged to minimize the use of phishable alternatives and to adopt rigorous security practices that reduce opportunities for attackers to manipulate account access. As more organizations transition to FIDO-only authentication models, the security landscape will strengthen—but vigilance is still required to address potential social engineering tactics that target users rather than the protocol itself.
Source: scworld
